The above code first derives a "raw hash" (256-bit key), which is argon2-based key derivation, just like with scrypt. It also derives a "argon2 hash", which holds the algorithm parameters, along with random salt and derived key. The later is used for password storing and verification. Finally, the calculated hashes are tested agains a correct and wrong password.

Note that the argon2 hash in the above output is written in a standardized format, which holds the Argon2 algorithm config parameters + the derived key + the random salt. By design, the salt and the derived key should be different at each code execution.

Try to execute the above code several times to ensure that the derived key will be the same (because the salt is fixed) and the derived argon2 hash will be different at each execution (because a random salt is generated internally by the algorithm).

Try to change the time_cost or the memory_cost settings and see how they affect the execution time for the key derivation.

Storing Algorithm Settings + Salt + Hash Together

In many applications, frameworks and tools, Argon2 encrypted passwords are stored together with the algorithm settings and salt, into a single string (in certain format, like it was shown above), consisting of several parts, separated by $ character. For example, the password p@ss~123 can be stored in the Argon2 standard format like this (several examples are given, to make the pattern apparent):

All the above hashes hold the same password, but with different algotihm settings and different salt.

When to Use Argon2?

When configured properly Argon2 is considered a highly secure KDF function, one of the best available in the industry, so you can use it as general purpose password to key derivation algorithm, e.g. to when encrypting wallets, documents, files or app passwords. In the general case Argon2 is recommended over Scrypt, Bcrypt and PBKDF2.